[THIN] Re: 2003

From: "Ron Oglesby" <Roglesby@xxxxxxxxxxxx>

To: <thin@xxxxxxxxxxxxx>

Date: Sat, 16 Oct 2004 13:52:58 -0500

Great thread. I mean we've hit a lot of remote access points here.
As for a security team wanting to ensure firewall, and virus patches and
what not on a remote CSG client just means they don't understand the CSG
technology. I have had a few clients that switched OFF of VPNs to Citrix and
CSG and their networks were hit by slammer, sasser, etc from VPN clients.
Now the "problem" with CSG out of the box (and WI) is that it really doesn't
provide that "You must connect from this type, or this corp owned computer"
functionality. For that you need client certs or soft tokens on the device
etc.
Of course I see more of an issue of requiring that "we" "own" the remote
device when using a VPN technology. When using a remote CSG technology the
client doesn't become a node on the network therefore it is less of a hole.
Now I am a believer in two factor authentication, and believe a CSG setup,
using two factor, and properly secured has a lot of advantages over
traditional VPN (along with a couple of disadvantages). But I think that
dollar for dollar CSG vs VPN for getting at a Citrix server is a no brainer
when compared on the basis of cost and security.
Now when you want to do things OUTSIDE of a citrix environment that becomes
an issue right? In those places a nice SSL VPN becomes useful.
But as far as a security team wanting to restrict access to, let's say corp
owned remote computers (laptops whatever) then they need to implement client
certs and manage that etc. If they only want that type of security for the
CSG implementation then I would say they are nuts. I mean a soft VPN client
that can run on ANY device as compared to a Citrix client running through
CSG on a Kiosk is way more of a hole.
Just random thoughts and rants...
Ron
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Tony Lyne
Sent: Thursday, October 14, 2004 3:35 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: 2003
Quarantining is something that can be done with VPN type technology more
than an SSL based VPN technology like CSG.
Usually virus scanning is not a problem with implementations like CSG as
you're not extending the corporate network to the client. But yes, keyboard
loggers are a problem.
One way you could get around it (if you're worried about people logging
passwords) is use something like the addons for Webinterface like citrix4ge
have which restrict access to webinterface to specific groups externally.
Then use 2 factor authentication with a software token on the laptop. This
way only users with that laptop and are a member of the group will be able
to get into the web interface. Since the tokens change every few seconds it's
pretty difficult for a hacker to get into the system with just a keyboard
logger as they will also need your token.
Just a thought.
Tony Lyne
Senior Systems Engineer
Computerland Central
P O Box 1470
PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
-----Original Message-----
From: BRUTON, Malcolm, FM [mailto:Malcolm.BRUTON@xxxxxxxx]
Sent: Thursday, 14 October 2004 9:01 p.m.
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: 2003
This is an interesting thread. Something that we are looking at but our
security guys are not so keen on CSG. We need something like a local cert
so that only a trusted machine can use CSG. We also need to know that the
machine has say a virus product and possibly a firewall running before they
can use CSG. Security guys' reasons are that there could be a screen scraper
or keyboard logger pulling vital information. I mean CSG is more secure
than most solutions but if the machine that you are connecting from is
compromised it could still spell problems. Has anybody got any ideas how to
get round this? i.e. only allow CSG from company supplied laptops rather
than from say an Internet café. How we can run it with workstation certs
and server certs and know that virus protection is running. Our security
guys lean towards SSL/VPNs because you can look for local certs virus
protection etc before establishing the connection and in theory know that
the machine is safe before allowing a connection.
Thoughts?
Malcolm
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Alexander Danilychev
Sent: 13 October 2004 18:41
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: 2003
One of CSG advantages is the SSL protection from "man in the middle"
attacks. However, to realize full SSL potential both server and client
should have private certificates - not just the server (which is the case in
99% of cases - server has private cert and client has access to server's
public cert). Unfortunately this is hard to achieve with outside users where
connection security is the most vulnerable.
Regarding "pure" ICA versus RDP - Citrix is relying on Microsoft's
encryption providers/technology (certainly on Windows) and thus it is hard
to expect any advantages of ICA over RDP.
ALEX
>From: "Jeff Pitsch" <jpitsch@xxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: 2003
>Date: Wed, 13 Oct 2004 11:48:25 -0400
>
>While both have encryption you can turn on, I would say with CSG your
>stream is more secure.
>
>Jeff Pitsch
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>Behalf Of Bill Beckett
>Sent: Wednesday, October 13, 2004 11:35 AM
>To: 'thin@xxxxxxxxxxxxx'
>Subject: [THIN] 2003
>
>Back to the 2003 RDP vs Citrix ICA debate. If accessing published apps or
>desktops across the WAN, isn't ICA more secure or I should say can't you
>make ICA more secure with Secure Gateway? Or is that not an accurate
>assessment?
>
>********************************************************
>This Weeks Sponsor RTO Software
>Do you know which applications are abusing your CPU and memory?
>Would you like to learn? -- Free for a limited time!
>Get the RTO Performance Analyzer to quickly learn the applications, users,
>and time of day possible problems exist.
>http://www.rtosoft.com/enter.asp?id20
>**********************************************************
>Useful Thin Client Computing Links are available at:
>http://thin.net/links.cfm
>***********************************************************
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thin.net/citrixlist.cfm